From: "Maciej Żenczykowski" <maze@google.com>
To: David Miller <davem@davemloft.net>
Cc: Lorenzo Colitti <lorenzo@google.com>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
Eric Dumazet <eric.dumazet@gmail.com>,
Stephen Hemminger <stephen@networkplumber.org>,
Linux NetDev <netdev@vger.kernel.org>,
Eric Dumazet <edumazet@google.com>, Erik Kline <ek@google.com>,
Dmitry Torokhov <dtor@google.com>
Subject: Re: Add a SOCK_DESTROY operation to close sockets from userspace
Date: Thu, 19 Nov 2015 17:00:39 -0800
Message-ID: <CANP3RGcPhry4S3-+SuTtVGCd=Ln4jQ0LrDb_V5bAFUpdzFojBA@mail.gmail.com>
In-Reply-To: <20151119.195504.2050784646947745419.davem@davemloft.net>

>> In this case, userspace knows that that app's connections are now
>> unusable because it configured an iptables rule to block them. The
>> kernel doesn't really know until the time comes to send a packet,
>> and maybe not even then.
>
> Netfilter could perform signalling on skb->sk when it drops packets.
>
> Your example is actually an argument _for_ doing this in the kernel.

That only (currently) works if a socket actually tries to send something.
Idle sockets (for example a socket used for push notification from the
remote server) still end up blocking forever.

If you were to, whenever the firewall configuration is changed,
iterate through all sockets in the system and generate a pair of fake
0-data packets (for both directions) for every socket to see if it
would get blocked by the firewall... but that seems quite insane.
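
Added example, not part of the message above: a loopback simulation of the idle-socket case it describes. No firewall rule is installed; the silent peer stands in for a connection whose packets would be dropped, and the RST in phase 2 stands in for any mechanism that sets an error on the socket. The function name `idle_then_reset` is hypothetical.

```python
import socket
import struct
import threading


def idle_then_reset(idle_seconds=0.5):
    """Return (woke_while_idle, wake_reason) for an idle loopback TCP client."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server, _ = listener.accept()
    listener.close()

    # Phase 1: idle connection. Neither side sends, so no packet ever
    # reaches a filter hook and nothing marks the socket as unusable.
    # The reader stays blocked; the timeout exists only to end the demo.
    client.settimeout(idle_seconds)
    try:
        client.recv(1)
        woke_while_idle = True
    except socket.timeout:
        woke_while_idle = False

    # Phase 2: an error is delivered to the socket. SO_LINGER with a zero
    # timeout makes close() abort the connection with a RST, which wakes
    # the blocked reader at once with ECONNRESET.
    server.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                      struct.pack("ii", 1, 0))
    client.settimeout(5)
    threading.Timer(0.1, server.close).start()
    try:
        data = client.recv(1)
        wake_reason = "DATA" if data else "EOF"
    except ConnectionResetError:
        wake_reason = "ECONNRESET"
    except socket.timeout:
        wake_reason = None
    finally:
        client.close()
    return woke_while_idle, wake_reason


if __name__ == "__main__":
    print(idle_then_reset())
```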